Kim Dotcom promises $13,600 to anyone who breaks Mega encryption

Following a barrage of criticism about the security of his recently unveiled Mega cloud storage service, Kim Dotcom is offering a $13,600 bounty to anyone who can crack the cryptography designed to prevent confidential files from being read by hackers or other unauthorized parties.

When the service debuted two weeks ago, Ars found its encryption methods included some "puzzling choices." The amount of entropy used during the key-generation process appeared to outsiders to be lacking, a potential vulnerability that could make it unnecessarily easy for someone to guess the bits needed to unlock someone else's private files. Mega's documentation was also vague on exactly how private crypto keys were secured.

Forbes reporter Andy Greenberg also took Mega to task, citing several cryptographers who doubted the reliability of the service's encryption scheme. Among other things, the experts criticized its reliance on JavaScript downloaded from Mega servers to encrypt files before uploading them to the service.

Ars has also reported another shortcoming in the service. Mega was sending new users an unencrypted confirmation e-mail containing not only a cryptographic hash of their password but other sensitive data as well, such as the encrypted master key used to decrypt the files stored in the account. That made it possible for anyone who retrieved the e-mail to run the hash through cracking software and potentially retrieve the password needed to access the account.

"Dotcom released a Mega beta that was so buggy he had to get cryptographers to point out all the mistakes," Matthew Green, a cryptographer at Johns Hopkins University, told Ars. "Then, after that, [he] starts offering to pay people money, saying, 'our stuff is so secure it can never be broken.' He's getting free consulting out of it."

It remains unclear from Dotcom's tweet exactly what he means by breaking Mega's encryption. Cryptographers use the word "break" to describe the results of any attack that's faster than brute force, even if the attack requires years or decades to ultimately crack the underlying key. It's unlikely that's what Dotcom had in mind. Would-be contestants should read the rules carefully before entering.

Look, the encryption algorithm is not theirs, it is industry grade. I've reviewed what they are doing and it is "proper".

The criticisms thrown at them: the open hashes and keys at the start would have to be stored if they were not sent that way. It is better to send them like that than to ever store the key, because that would be even more outrageous.

The fact is, Mega is sound. Discussions of entropy are moot because that is not the encryption algorithm, it is the practice. The idea is not if it will fall under brute force, but if it can be easily cracked.

I would fathom Ars' primary demographic is America, and as an American I have no ... idea how much a Euro is worth, so I appreciate the USD figure.

Nor do I, but putting the decidedly oddball USD equivalent in the headline raised unnecessary questions in my mind ("Why the hell would he pick a number like that?"). It would have been sufficient to leave the headline in Euros and then provide the USD conversion in the article. I would find it no less jarring to see a UK headline quoting Steve Jobs' old $1 salary in pounds. Arbitrary numbers should be expressed in their original form first — then translate...

@sryan2k1: I'm guessing you don't have a passport, either.

ONE LAST THING: Exchange rates change, and sometimes they change quite quickly, so articles like these can soon look out of date!

I see it's already been covered in depth, but the only reason I opened this article was to see why it was such an odd amount. I agree I would have much rather seen Euros in the title and a conversion listed if you thought it was necessary.

Seeing how the site's audience is mostly US-based it makes perfect sense to state the equivalent USD amount within the article. However, using the converted rate for the title is misleading and should never be done, no matter how obscure the original currency.

> It would have been sufficient to leave the headline in Euros and then provide the USD conversion in the article.

I agree. Plus, the conversion is always just an estimate: it'll be different tomorrow. It's also not what Kim Dotcom offered.

Good point. He didn't offer $13,600...

jamesmckenzie wrote:

> and as an American I have no fucking idea how much a Euro is worth, so I appreciate the USD figure.

Just because you're an American, this doesn't necessarily mean you are supposed to be ignorant about the rest of the world, or shouldn't have a rough idea of the currency of the world's largest economy (the EU). And you know, there's always Google: http://bit.ly/VA0kX6

I don't follow finance stuff. Don't care about it really much at all. And really, I doubt most people know (or care) about conversion rates, no matter what country they're from.

Was it really necessary to convert the sum from euros to dollars? It's not exactly an obscure currency.

I would fathom Ars' primary demographic is America, and as an American I have no fucking idea how much a Euro is worth, so I appreciate the USD figure.

As a European, I had no idea why Kim chose such a strange amount as the prize.

And I wonder if after reading the article you still have no idea how much a Euro is worth in USD.

To the editor:

Why was this comment picked by the editor? I hate when editors pick only comments that seem to prove their point.

Also, by choosing that comment the editor shows his prejudice towards Americans, by assuming that most of them are ignorant and don't know the value of the Euro. I would find that offensive if I were American.

> this doesn't necessarily mean you are supposed to be ignorant about the rest of the world, or shouldn't have a rough idea of the currency of the world's largest economy (the EU). And you know, there's always Google: http://bit.ly/VA0kX6

I know that a British Pound and Euro are worth slightly more than a dollar (as compared to the exchange rate of 4DM to the USD when I was stationed in the BDR). I also know that exchange rates change daily and unless I am going to travel to a country that uses a different currency the only reason I need to know the exchange rate is for comprehension (like in this article).

With all the criticism Ars and other organizations have thrown Mega's way for their encryption methods, the only thing that really matters is if someone can "break" it (no matter what the method, brute-force or otherwise) in less than a few years. If they can't, then it's proven to be good enough for what they need.

The true, practical test of whether the encryption is any good is if it succeeds in its purpose for a time interval so long that no one will bother running a machine working the system long enough to work on getting around it. If it turns out they find "theoretically" it can be "broken", but it would take up to 10 years to do, then that doesn't really matter at all, because by that time they will have most likely changed to some other method.

It's too bad Ars didn't seem to approach things this way when they first started with their criticism. It's one thing to criticise something from a theoretical perspective. It's a completely different thing to do it from a practical perspective.

Sorry Ars, your headline is inaccurate. The exchange rate has changed and it's now $13,667

Edit: It changed again, the figure is now $13,659

Edit: And again, now it's $13,662

Take note: Dotcom offered €10,000. The value of €10,000 in any other currency changes every minute as exchange rates fluctuate. The established way of reporting foreign currency amounts is to say "Kim Dotcom promises €10,000 ($13,600) to anyone who breaks Mega encryption"

(I wonder if it was done this way because the author couldn't find the € symbol on his US layout keyboard. I have a UK layout keyboard and don't have it either. Pro-Tip: type Alt+0128)

It's already broken, so he is just going to pay to have someone embarrass him further?

glenthas wrote:

> I see it's already been covered in depth, but the only reason I opened this article was to see why it was such an odd amount. I agree I would have much rather seen Euros in the title and a conversion listed if you thought it was necessary.

Wait a second, New Zealand uses dollars (not the U.S. dollar, but the currency with code NZD, whose sign is $).

So New Zealand does not use Euros and uses dollars. So why are people arguing euro vs. dollars when it's correct to say $13,600 and not, for example, €10,000?

The question remains then if fat boy is offering $13,600 NZD or $13,600 USD.

Fat boy is in New Zealand, the site is an nz site (Mega.co.nz), so it makes more sense to think fat boy is offering $13,600 NZD and not euros.

So why did people jump to euros and argue about it should be euros when the article title and the offer amount are probably both correct?